Over the last few days since our launch, we have had quite a few emails and visitors to our IRC channel, with people asking questions about the site, the framework and serious questions about social engineering itself. One intriguing question is, “How Does One Become a Social Engineer?” It may be the opinion of some that “Social Engineering is just believing in your lie” or “SE is a matter of who is the best liar” and even “Social Engineering is a matter of just making up a believable story.” Some believe that social engineering is no more than smoke and mirrors and conning people, which is usually the case with companies who are trying to sell you security products.
While all of these things may be factors, we feel they are not the whole story. We thought we would reach out and try to dispel some of these myths by writing a small series of articles about this question. The series will be called “How To Become a Social Engineer” and will be broken down into the many aspects one will need to master to even consider this. In this first article of the series we will cover the most important aspect of social engineering.
First off, we should mention that famous social engineers such as Mitnick, the Badir Brothers and Frank Abagnale at times possess a skill or personality that seems inherent, and they use that skill for social engineering. While the things we will outline may never turn you into one of the famous social engineers, they sure can enhance your abilities.
When we think about the skills that a great social engineer will possess, like pretexting, elicitation, information gathering skills, interrogation skills, influence skills and manipulation skills, and then throw in some possible physical security skills… well, it can be quite overwhelming. While it is true that certain personality types can learn certain aspects of social engineering more easily, we believe it is not too hard to at least begin a program where, with time and effort, you can achieve a level of success.
So what steps can one take to try and enhance their social engineering skills? To properly identify this, let’s break down what a social engineering attack consists of.
Probably the biggest piece of the puzzle is… information. Information is single-handedly the most important aspect of social engineering. Information helps us prepare, plan and execute. Lacking information is certainly equal to failure. The Information Gathering section of The Social Engineering Framework covers this vital part of social engineering in great detail, but let’s break it down to some simpler steps.
Research and Tools
Knowing how to do research and where to look are vital aspects of information gathering. This means practicing everything from getting your Google-fu on to how to ask good questions.
Imagine you want to do research on (insert company name here), what is the first logical step? Browse to their website. Don’t just meagerly peruse the site, but read it. Get what they do, how they do it. What are the names of any staff mentioned there? Any special events listed? Are there pages that link to awards or articles they have written or achieved? Any, even seemingly insignificant, piece of information can be important down the road.
Probably before you even get to this point you want to have a file started on them. In this file you are organizing and cataloging this information in a fashion that will make it easy for you to use later on.
After you are done thoroughly scraping the site, maybe you move on to other forms of information gathering. Can you call them and ask targeted questions that will give you more information? Can you talk to a competitor about them and find out information? Can you work up a personal conversation with an employee and gather more information? All of these avenues will require some forethought and a definite plan as to your goals. You cannot approach an employee and throw a barrage of questions at them till they answer. Instead, the conversation may take on a very simplistic and friendly nature with the goal of just finding out one or two small pieces of information. When this was done to an AOL representative it led to the hacking of over 200 accounts, just by exchanging very friendly information.
Just what type of information you are seeking depends on your goal with the company. In a normal penetration test you are trying to see if information could lead to a security breach. Of course, it would be nice if within the first few minutes the target gave up all their passwords and user names, but that most likely will not happen. So our goal is to find out information. What is their company structure? Who is on vacation? Does anyone seem unhappy with their job? What are their policies on USB keys? External CDs? What type of physical security do they use? These are some of the target items we may wish to acquire… or we may wish to simply find out: What is the standard email layout? The name of the CFO? How many servers do they have?
All of these tidbits of information can lead us to a path of total ownage. Learning how to do effective research can be a key to success and being good at it can certainly assist you in becoming a true social engineer.
This is really only half (maybe 1/3) the battle. We need to discuss tools you can use to gather this data and then probably the most important part… what do you do with it all?
Tune in next time when we discuss tools for information gathering.
Have any input on this post or ideas for future posts? Email us at contribute [email protected] social-engineer.org